This document covers the various settings available within the Cymatic platform.

Cymatic Protection
Disabling this feature will stop all activity and incident generation. The script does not need to be removed from the web application Cymatic is protecting.

Credential Defense

This section controls the various rules for your web app password requirements. Along with the requirements, you can also configure the help text for when the criteria is or is not met. The following is the list of criteria you configure within each category.

Password complexity

Length - minimum amount of characters
Uppercase - minimum amount of uppercase letters
Lowercase - minimum amount of lowercase letters
Numeric - minimum amount of numbers
Special character - Minimum amount of special characters

Password repeated characters

Maximum - This is the amount of repeated characters that will be allowed before Cymatic will reject the password. For example, if the limit is set to three, and the password includes 'aab', it will pass this check. However, if the password includes 'aaa', it will not.

Password sequential characters

Maximum - This is the amount of sequential characters that will be allowed before Cymatic will reject the password. For example, if the limit is set to three, and the password includes the string '121', it will pass this check. However, if the password includes the string '123', it will not.

Password darkweb

If enabled, Cymatic will perform a real-time lookup of the password being used against a database of known leaked passwords. The dark web lookup is controlled by Cymatic, and therefor the only configuration option is the message that appears for the lookup.

Password dictionary

If enabled, Cymatic will perform a real-time lookup of the password being used against a database of passwords that are commonly used in dictionary attacks. The dictionary lookup is controlled by Cymatic, and therefor the only configuration option is the message that appears for the lookup.

Security Chatbot

The security chatbot is used to provide feedback to the user regarding their device, location, dark web, and/or password strength health. If the security chatbot feature is disabled, it will not appear within the user's session.

Screen Placement

This controls where the security chatbot will be displayed. The choices are bottom left or bottom right.

Notification Message

This is the message that will be displayed to the user when the security chatbot initializes within the session.


This controls what content is displayed to the user. The selections are as follows:

Device - This will display a count of how many vulnerabilities have been reported against the operating system and browser version of the device the user is accessing your site with.

Location - Any vulnerabilities regarding the IP address of the user will be displayed here. This is a clickable link that can give further information into these vulnerabilities to educate the user regarding the current threats.

Dark Web - If the username and/or password of the user account have been compromised on the dark web, it will be displayed here. If the username has been compromised, there is a clickable link to display the campaigns that the username was exposed in.

Password Strength - If the password is weak according to current NIST standards, they will be reported here. The link is clickable to further educate the user regarding the issues with their password.

Awareness Banner

The banner configuration is used to educate the user interacting with your web application if their password has been compromised on the dark web. The configuration can be modified as follows:

Screen Placement

This is where the banner will be displayed. When ‘top of the screen’ is selected, the banner will remain at the top of the session. If ‘bottom of the screen’ is selected, the banner will be displayed at the bottom.

CSS Position

This controls the visibility of the banner when the user scrolls through the page. If ‘fixed’ is selected, the banner will remain visible regardless of scrolling. If ‘relative’ is selected, the banner will be affected by page scrolling and potentially not be visible as the user scrolls through the page.

Prepend on DOM Element

This controls where within the page the banner will be displayed. The default value is ‘body,’ however it can be modified to a custom HTML DOM selector if desired.


If ‘allow to be dismissed’ is enabled, the user will be able to dismiss the notification. If this feature is disabled, the user will not be able to dismiss the banner.

Show on Password Breach

This is where the message displayed to the user in the banner is configured. If you would like to notify the user on the amount of times their password has been compromised, use the keyword ${count} . If the ‘show on password breach’ feature is disabled, the banner will not display.

Bot Detection

Cymatic has the capability to detect different types of bots:

Zombie - Controls the browser using tools such as Selenium or Puppeteer to manipulate web elements.

Snippet - A snippet bot attempts to insert small portions of source code into a web page.

Autofill - Automatically inserts user data such as email addresses or passwords into the input fields of a web page form.

Code - A more advanced version of a snippet bot. This code manipulates the values of input fields by triggering browser events.

Each bot detection mechanism listed above can be enabled or disabled individually. If the detection for a certain bot type is enabled but no response selected, Cymatic will record the activity as a bot detection, however the request will not be blocked. Depending on which bot detection is selected, there are different actions available for how to respond when a detection occurs. The following are the available options for how Cymatic can respond to a bot detection:

Block Submit - The submit button on the form will become disabled.

Send a Fake Server Request - Cymatic will display a message on the form and reject the authentication attempt. This message can be configured in the ‘Fake server request’ text box.

Clear Username - The username field of the form will be reset to a blank value. This forces the entity to manually enter the username.


The sessions configuration is used to close out an active user session. To perform this action, each of the options need to be correctly applied.

Close Session

The URL to be used when a user is forced to log out.


Select the appropriate request to leverage the logout URL, either GET or POST.

Advanced Settings

The advanced settings section contains configuration options that are not used on a daily basis.

Logger - Controls the log level of the browser console. Under normal operations, the log level should be set to none. If you are actively troubleshooting an issue, the log level can be adjusted.

Close session when - If you have followed the guide on how to create a cookie for Cymatic, you do not need to use this setting. However, if you are using an existing cookie, and that cookie does not get removed at logout but instead has a state change, you can use this setting to enter a regex to let Cymatic know what state to look for. This will allow Cymatic to know when a user session is still active.


This section holds the configuration options for how Cymatic will integrate with your web app.


An optional image file can be uploaded for the site. This image will be used only within the Cymatic app to provide a visual representation of the site.

Site name

The name that the site will be referred to as within the Cymatic app.

Site URL

The URL that Cymatic will be deployed on. Please select the proper protocol from the dropdown for the site.

Site restrictions

The following are optional settings and in most cases do not need to be used.

Additional URL

In some scenarios, SDK initialization requests may come from a different origin than the primary site URL entered above. To cover these use cases, Cymatic offers a secondary URL configuration option so these requests are not blocked. An example would be if the service provider web app is integrated with a single sign on identity provider. To capture the entire authentication process, Cymatic would need to be deployed on both the SP app and the SSO. In this case, the service provider web app would be the primary URL and the SSO would be the secondary.


Continuing on with the scenario described, it is possible that although Cymatic is deployed on the SSO app, it may not be installed on every service provider app. This can cause discrepancies in the data provided within the Cymatic app. To accommodate this scenario, You can enter URI query string attributes. For example, if was the SSO, a complete URL for the form might look like this:

For this example, the additional URL and attributes field would be filled out as follows:

When defining an additional URL, It is not necessary to define any URI attributes unless your use case is similar to the one outlined above.
Page Integrity

The purpose of page integrity is to scan different pages within your web application for functions that are in use.

To create a new scan, click on the ‘New Page’ button in the upper right corner. In the ‘Page Name’ text box, give the scan a meaningful name. In the ‘Application Scan’ section, there are three values. The ‘Site’ text box is not configurable as it uses the FQDN of the site instance. In the ‘Page URL’ text box, enter the relative URL of the page to be scanned. If you would like to scan the home page, enter / for the URL. Finally, choose a value from the dropdown menu for the scheduled scan frequency.

Once the above options are configured, you can either click on the ‘Run Scan’ button to run a scan on the page immediately, or click on the ‘Save Changes’ button to save the scan and have it run at the configured frequency. A dendrogram of the scripts discovered during scans can be found on the scan page. A history of the completed scans can be leveraged to determine when script modifications occurred.

Known Domains

Known domains are domains that have been identified by Cymatic to be making external network calls. When the site is first created, the FQDN of the site itself is added to this list as a trusted domain. This domain cannot be changed to an untrusted domain.

When a new domain is seen in a cross-origin resource sharing(CORS) attack as detected by the CORS play, it will first be displayed on the home page in the unknown domains category of the tasks to review section. Each domain listed in the unknown domains category can be categorized as either trusted or not trusted.

Once the categorization is made, it will now show up on the known domains page with the chosen categorization. If the domain categorization needs to be changed from its current status, it can be performed on the known domains page. Trusted domains are not affected by any plays. Untrusted domains will create an incident when seen again and be handled in accordance with the configured action in the CORS play, if it is enabled in a playbook.


The contents of the installation section are used to deploy and configure the settings required for a basic deployment. For more detailed information on how to deploy Cymatic, please refer to the Basic Deployment guide.

SDK snippet

The SDK snippet is available in this section to be used in the deployment of the web app that the Cymatic site was created for.

Session cookie

This is where the session cookie name is configured. The cookie is used to help Cymatic determine a successful authentication and log the user's complete journey within your web app. For more information on how to configure the cookie within your web app, please refer to the Verifications, Profiles, Session Visibility and Control guide.
Was this article helpful?
Thank you!